Add some python fixes

JLLeitschuh · Sep 17, 2020 · 6a7fd9f · 6a7fd9f
1 parent 1f0c65d
commit 6a7fd9f
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 19 deletions.
diff --git a/do_security_fix.py b/do_security_fix.py
@@ -2,12 +2,12 @@
 
 import logging.config
 
-import pom_security_fix
+import jhipster_security_fix
 import vulnerability_fix_engine
 
 logging.basicConfig()
 logging.getLogger().setLevel(logging.INFO)
 
 vulnerability_fix_engine.do_execute_fix_module(
-    pom_security_fix.PomVulnerabilityFixModule()
+    jhipster_security_fix.JHipsterVulnerabilityFixModule()
 )
diff --git a/jhipster_security_fix.py b/jhipster_security_fix.py
@@ -1,4 +1,5 @@
 import pathlib
+import textwrap
 from dataclasses import dataclass
 
 import aiofiles
@@ -11,13 +12,23 @@
 class JHipsterVulnerabilityFixModule(VulnerabilityFixModule):
     branch_name: str = 'fix/JLL/jhipster_insecure_rng_vulnerability'
     clone_repos_location: str = 'cloned_repos'
-    data_base_dir = 'insecure_jhipster_rng_data'
-    save_point_location: str = 'save_points'
-    pr_message_file_absolute_path: str = f'{str(pathlib.Path().absolute())}/PR_MESSAGE.md'
+    data_base_dir: str = 'jhipster_rng_vulnerability/data'
+    save_point_location: str = 'jhipster_rng_vulnerability/save_points'
+    pr_message_file_absolute_path: str = f'{str(pathlib.Path().absolute())}/jhipster_rng_vulnerability/PR_MESSAGE.md'
+    commit_message: str = textwrap.dedent('''\
+        CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil
+        
+        This fixes a security vulnerability in this project where the `RandomUtil.java`
+        file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of
+        a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for 
+        security sensitive data.
+        
+        Signed-off-by: Jonathan Leitschuh <[email protected]>
+        ''')
     post_url = 'https://us-central1-glassy-archway-286320.cloudfunctions.net/cwe338'
     session = AsyncSession(n=100)
 
-    def do_fix_vulnerable_file(self, project_name: str, file: str, expected_fix_count: int) -> int:
+    async def do_fix_vulnerable_file(self, project_name: str, file: str, expected_fix_count: int) -> int:
         async with aiofiles.open(file, newline='') as vulnerableFile:
             contents: str = await vulnerableFile.read()
         # noinspection PyUnresolvedReferences

diff --git a/pom_security_fix.py b/pom_security_fix.py
@@ -9,11 +9,11 @@
 from vulnerability_fix_engine import VulnerabilityFixModule
 
 
-@dataclass
+@dataclass()
 class PomVulnerabilityFixModule(VulnerabilityFixModule):
     branch_name: str = 'fix/JLL/use_https_to_resolve_dependencies'
     clone_repos_location: str = 'cloned_repos'
-    data_base_dir = 'insecure_pom_data'
+    data_base_dir: str = 'insecure_pom_data'
     save_point_location: str = 'save_points'
     pr_message_file_absolute_path: str = f'{str(pathlib.Path().absolute())}/PR_MESSAGE.md'
     commit_message: str = textwrap.dedent('''\

diff --git a/vulnerability_fix_engine.py b/vulnerability_fix_engine.py
@@ -315,17 +315,17 @@ async def execute_vulnerability_fixer_engine(engine: VulnerabilityFixerEngine, l
     project_report: VulnerabilityFixReport = await engine.do_fix_vulnerabilities()
     pr_url = ''
     # If the LGTM data is out-of-date, there can be cases where no vulnerabilities are fixed
-    if project_report.vulnerabilities_fixed != 0:
-        await engine.do_create_branch()
-        await engine.do_stage_changes()
-        await engine.do_commit_changes()
-
-        if not engine.project_files.project_name.lower().startswith('jlleitschuh'):
-            await engine.do_do_fork_repository(lock)
-
-        await engine.do_push_changes()
-        pr_url = await engine.do_create_pull_request(lock)
-    await engine.do_create_save_point(project_report, pr_url)
+    # if project_report.vulnerabilities_fixed != 0:
+    #     await engine.do_create_branch()
+    #     await engine.do_stage_changes()
+    #     await engine.do_commit_changes()
+    #
+    #     if not engine.project_files.project_name.lower().startswith('jlleitschuh'):
+    #         await engine.do_do_fork_repository(lock)
+    #
+    #     await engine.do_push_changes()
+    #     pr_url = await engine.do_create_pull_request(lock)
+    # await engine.do_create_save_point(project_report, pr_url)
     return project_report
 
 
@@ -351,6 +351,8 @@ async def _do_execute_fix_module(fix_module: VulnerabilityFixModule):
     print(f'Loading Async Project Executions for {len(vulnerable_projects)} Projects:')
     waiting_reports = []
     for vulnerable_project in vulnerable_projects:
+        if '3dadon/JustSayIt' not in vulnerable_project.project_name:
+            continue
         if is_archived_git_hub_repository(vulnerable_project):
             logging.info(f'Skipping project {vulnerable_project.project_name} since it is archived')
             continue